Networks are constantly exposed to security exploits that are of significant concern to network providers. For example, Denial of Service (“DoS”) attacks can cause significant damage to networks and networked devices. A DoS attack is defined as an action taken upon on a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system to prevent the normal servicing for performing legitimate requests. The flooding may consume all of the available bandwidth of the targeted network or it may exhaust the computational resources of the targeted system.
A Distributed Denial of Service (“DDoS”) attack is a more aggressive action that involves multiple offensive devices performing an attack on a single target computer network or system. This attack may be performed in a coordinated manner by these multiple external devices to attack a specific resource of a service provider network. The targeted resource can be any networking device such as routers, Internet servers, electronic mail servers, Domain Name System (“DNS”) servers, etc. Examples of a DDoS attack include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host from normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which start/stop attacks).
Other network security threats include Trojan horse attacks that may be embedded in harmless software, viruses that can reproduce themselves and attach to executable files, worms that can spread via stored collections of e-mail addresses, and logic bombs that can remain dormant until triggered by an event (e.g., a date, user action, random trigger, etc.).
Early identification of incoming messages (e.g., packets) that pose a threat to a network can prevent or mitigate damage, since a network device can be impaired by processing or analyzing a threatening packet. One approach is to use a blacklist to block packets from a finite number of addresses. Such a blacklist can be implemented in either software or hardware. However, adding software-based blacklist functionality to an existing network device can have limitations, such as requiring device upgrades or software updates that could cause compatibility issues with the existing network configuration or other network devices, or which may require extensive testing to ensure the changes do not have any undesired effects. Furthermore, blacklists tend to block packets without providing meaningful statistics about blocked traffic and throughput. Devices that perform software processing for detection of threats are usually spaced from the network edge so that upstream devices are exposed before threat detection is performed. Additionally, the software to detect threats can result in reduced throughput and/or bandwidth that can worsen as the number of threatening packets increase.